Prepayment Penalties in Commercial Loan Documents

Contractual prepayment premiums—also called make-whole provisions or prepayment penalties—offer yield protection to a lender in the event a borrower repays its loan prior to its scheduled maturity date. Such provisions are often found in higher-value loans with longer terms, including those offered to distressed companies trying to clean up their balance sheet or restructure debt in an attempt to avoid a bankruptcy filing. Some categorize prepayment premiums as a hedge against the risk of loss of future interest resulting from a borrower’s early payoff, whereas others describe the premium as the price a borrower pays for the autonomy to prepay or refinance its debt. Whichever way you put it, prepayment premiums endeavor to increase predictability for lenders.

Although these provisions are increasingly common in commercial loan agreements and bond indentures, and even more so where the borrower is distressed, that is not to say they are uncontroversial. In many cases, make-whole provisions compensate commercial lenders and bondholders in an amount significantly exceeding that which the name would imply, contemplating returns that often exceed the current fair value of the debt. In addition, because they are more common in larger loans, make-whole amounts are typically quite significant. Indeed, in In re Ultra Petroleum, 913 F.3d 533 (5th Cir. 2019), the value of the make-whole amount and postpetition interest at stake exceeded $380 million.

The Ultra Petroleum Decision

To be clear, the Ultra Petroleum decision is not the first to create uncertainty in the analysis of make-whole provisions under the Bankruptcy Code, and it is true that objectors seeking to avoid make-whole claims enjoyed their choice of several grounds of attack far before the Fifth Circuit’s ruling. For example, make-whole claims had been disallowed as unenforceable under applicable nonbankruptcy law (including based on arguments that the claims were a penalty as opposed to a reasonable and enforceable liquidated damages provision), as unreasonable under section 506(b) of the Bankruptcy Code (with respect to secured claims), or in a handful of cases, as unmatured interest under section 502(b)(2). In fact, prior to Ultra Petroleum, the Second Circuit in In re MPM Silicones, LLC, 874 F.3d 787 (2d Cir. 2017) and the Third Circuit in In re Energy Future Holdings Corporation, 842 F.3d 247 (3d Cir. 2016), had issued completely conflicting opinions on whether the automatic acceleration of debt caused by a bankruptcy filing triggers payment of a make whole.

In the January 2019 decision, the Fifth Circuit, albeit in dicta, sided with the small minority of bankruptcy courts that held that make-whole claims constitute unmatured interest because, in substance, they seek to compensate a lender for future interest payments due to early repayment of debt. Thus, the Ultra Petroleum ruling, which strongly suggests that section 502(b)(2) disallows any claim that is the economic equivalent of unmatured interest, bolsters arguments for the across-the-board disallowance of make-whole claims under the Bankruptcy Code.

The Post-Ultra Petroleum State of the Law

Although the successful recovery of make-whole amounts from a chapter 11 debtor was far from a foregone conclusion even pre-Ultra Petroleum, the decision unquestionably alters what had been at least a somewhat navigable legal landscape, and raises questions about the lending market’s response in the longer term.

The pre-Ultra Petroleum state of the law was marked by specific guidelines set forth in various cases that provided a playbook by which sophisticated bankruptcy counsel could surgically craft loan documents to avoid the pitfalls of make-whole provisions by including carefully bargained-for provisions on choice of law, yield maintenance formulas estimating the damages to lenders resulting from prepayment, and clearly defined conditions to payment, including explicit language indicating the make whole is payable on acceleration. Thus, notwithstanding the existing circuit split, lenders could draft to hedge against these risks and exert their control over borrowers to push for a favorable jurisdiction in the event of bankruptcy.

The ruling will undoubtedly have considerable impact on the allowability of a lender’s make-whole claim in courts within the Fifth Circuit. However, unless and until the Supreme Court offers guidance on how courts should approach the issue, the new, even less predictable landscape of make-whole claims in bankruptcy means significantly more uncertainty for lenders relying on make-whole recoveries. In a realm where lenders already exercise a great deal of control, the uncertainty caused by the ruling, coupled with the typically significant value of the make-whole claims at stake, may result in increased rigidity and tension in chapter 11 negotiations. To compensate for this risk, lenders may also resort to charging higher interest rates and fees on distressed deals, or even opting not to lend to distressed borrowers. Although the ultimate impact of Ultra Petroleum remains to be seen, the line between risky and too risky can be a thin (and expensive) one to tread.

A receivership occurs when a court appoints a third party to exercise independent oversight on specific assets. Although receiverships are commonly involved in real estate transactions, they can also arise when commercial borrowers are in distress, in cases of corporate deadlock, and in the event of litigation where the rights of the parties cannot otherwise be fully protected. In some cases, even for large operating companies, courts have appointed receivers and granted the receivers authority to take complete control of defendant’s business operations, including determining whether to sell or wind-down business affairs.

Contracts, particularly lending agreements, often contain clauses authorizing appointment of a receiver upon default. The question is: how effective are these provisions for operating companies (versus single asset real estate matters in which receivers are often appointed on an ex parte basis[1])? This issue often arises in the context of a contentious relationship in which the borrower refuses to file a bankruptcy case, and commencing an involuntary case is unavailable to the lender. The answer appears to be that although the receivership provision alone is not likely to be determinative as to whether to appoint the receiver, it may be considered by courts as a strong factor in the lender’s favor.

The issue over the effectiveness of a receivership provision was recently tested in The Huntington National Bank v. Sakthi Automotive Group USA, Inc., et al.[2] In Sakthi, Sakthi Automotive Group (Sakthi Automotive), a critical component supplier of automotive parts, defaulted on its loan obligations to Huntington National Bank (the Bank). The Bank sought a preliminary injunction prohibiting Sakthi Automotive from destroying, selling, transferring, or performing other similar acts with respect to the collateral. The Bank also sought the appointment of a receiver with broad powers, including to operate and sell the company pursuant to the terms of the parties’ credit agreement:

Upon the occurrence of an Event of Default and at all times thereafter, the Lender shall be entitled to the immediate appointment of a receiver for all or any part of the Collateral, whether such receivership is incidental to the proposed sale of the Collateral, pursuant to the Uniform Commercial Code or otherwise. Each Loan Party hereby consents to the appointment of such a receiver without notice or bond, to the full extent permitted by applicable statute or law; and waives any and all notices of and defenses to such appointment and agrees not to oppose any application therefor by the Lender, but nothing herein is to be construed to deprive the lender of any other right, remedy, or privilege the Lender may have under law to have a receiver appointed, provided, however, that, the appointment of such receiver shall not impair or in any manner prejudice the rights of the Lender to receive any payments provided for herein. Such receivership shall at the option of the Lender, continue until full payment of all the Obligations.

The court denied the motion for a preliminary injunction, finding, among other things, that the Bank could not establish irreparable harm because its injury could be fully compensated by money damages. However, irreparable harm was not a necessary factor for the court to consider in appointing a receiver; therefore, the Bank’s request to protect its collateral could be accomplished through appointment of a receiver.

In addition to recognizing Sakthi Automotive’s express contractual consent to the appointment of a receiver, the court also considered several factors traditionally applied in federal cases appointing receivers:

1) the existence of a valid claim by the moving party
2) alleged fraudulent conduct
3) imminent devaluation, concealment, or loss of the property
4) inadequate alternative legal remedies (such as money damages)
5) lack of a less drastic equitable remedy
6) whether appointment of a receiver will do more harm than good

As an equitable remedy, case law regarding the appointment of receivers generally suggests the weight of each factor is within the court’s discretion.

In initially considering the contractual provision, the court determined that there was no dispute that at least one default existed under valid contracts. The court found the unambiguous receivership provision to weigh in favor of appointing a receiver but continued to consider the factors referenced above. In so doing, the court determined that the Bank met the first three factors. As to the sixth factor, Sakthi Automotive failed to establish that the receiver will do more harm than good. That left the fourth and fifth factors, and as to these, the court placed great weight on the receivership provision and found that these factors had “little relevance” given the existence of the contractual provision. The fact the court gave “little relevance” to the fourth factor due to the contractual provision is particularly noteworthy in that the court previously determined the Bank could be fully compensated with money damages when denying the preliminary injunction request.

In its motion for reconsideration, Sakthi Automotive challenged only the fraudulent conduct, diminished value, and the “more harm than good” factors—not the factors given “little relevance” in light of the contractual provision. The court denied the reconsideration motion and noted that although there is disagreement about whether a contractual receiver provision is dispositive, in this matter both the contractual provision and the factors outlined in receivership case law favored a receivership in this case. The court entered an order granting the receiver broad operating power over the company assets.

In the end, for operating companies there are numerous reasons why a court may be reluctant to find that a receiver provision coupled with the existence of a default would indisputably lead to appointment of a receiver without proof of additional considerations. However, the existence of the contractual provision may be a strong factor considered and tip the scale in favor of the appointment when weighing the other factors. Indeed, a court may, as it did in Sakthi, determine that certain factors are met by the existence of a contractual provision.

[1] For real estate matters, see generally Uniform Commercial Real Estate Receivership Act, § 6, cmt. 2 (“there is significant recent authority supporting the view that a receivership clause alone provides a sufficient basis to appoint a receiver after the mortgagor’s default.”) (citations omitted). See also Britton v. Green, 325 F.2d 377, 382 (10th Cir. 1963) (holding that a contractual provision involving oil and gas leases was sufficient to appoint a receiver: “By the terms of the mortgage, the mortgagor expressly agreed that in the event of a foreclosure suit, the mortgagee is entitled, ‘as a matter of right,’ to the appointment of a Receiver to take possession and control of, operate, maintain and preserve the mortgaged property. . . .”).

[2] 2:19-cv-10890 (E.D. Mich. 2019). See also PNC Bank, Nat’l Ass’n v. Goyette Mech. Co., 15 F. Supp. 3d 754, 758 (E.D. Mich. 2014) (“the parties’ advance consent to the appointment of a receive (sic) is a strong factor weighing in favor of appointing one.”); Am. Bank & Tr. Co. v. Bond Int’l Ltd., No. 06-CV-0317-CVE-FMH, 2006 U.S. Dist. LEXIS 58361, at *21–*23 (N.D. Okla. Aug. 17, 2006) (unpublished) (appointing a receiver for an operating company’s collateral based on the Tenth Circuit’s approval of a security agreement’s receivership provision in Britton, supra note 1, and case law equitable factors).

Until recently, legal principles surrounding unfairness, deception, and abusiveness have been defined primarily at the federal level, yet with perceived federal retrenchment from consumer protection, states have increasingly taken a hard look at their roles in protecting their citizens from unfair, deceptive, or abusive acts or practices (UDAP/UDAAP). Recent legislative changes in Maryland and Arkansas highlight the different approaches states are taking in how they regulate UDAP/UDAAP and through those changes are choosing to either prioritize consumer protection or protect industry from perceived overreach.

Maryland

On May 15, 2018, Maryland enacted House Bill 1634 and Senate Bill 1068, effective October 1, 2018, which substantively amended the Maryland Consumer Protection Act (the MCPA).[1] Before the amendment, the MCPA generally prohibited “unfair or deceptive trade practices” in addition to prohibiting certain specific practices.[2] The amendments to the MCPA increased the scope of the statute, which now generally prohibits “unfair, abusive or deceptive trade practices.”[3]

The amended MCPA now also specifically provides that violations of the federal Military Lending Act and the federal Servicemembers Civil Relief Act will be considered unfair, abusive, or deceptive trade practices in violation of the MCPA.[4] In addition, the amended MCPA now provides for significantly increased penalties. Before the amendments, the MCPA provided for penalties of up to $1,000 for an initial violation and $2,500 for subsequent violations. These penalties have been increased to $10,000 and $25,000, respectively.[5]

The increased scope of the MCPA aligns with the Consumer Financial Protection Bureau’s authority to pursue enforcement actions related to “unfair, deceptive and abusive acts or practices” under Dodd-Frank. Maryland House Bill 1634 and Maryland Senate Bill 1068 added a new provision to the Miscellaneous Consumer Protection Provisions Title[6] that encourages the Office of the Attorney General and the Commissioner of Financial Regulation to assert their authority to bring actions for “unfair, abusive or deceptive trade practices” under Dodd-Frank. House Bill 1634 and Senate Bill 1068 also added another new provision[7] to the Miscellaneous Consumer Protection Provisions Title that increases appropriations to both the Office of the Attorney General and the Commissioner of Financial Regulation for the purposes of enforcement of financial consumer protection laws. Consumers continue to have a private right of action for both damages and attorney’s fees for violation of the MCPA under its expanded coverage.[8]

Overall, the amendments to the MCPA and the related amendments to the Miscellaneous Consumer Protection Provisions Title favor consumers by increasing the scope of MCPA protections, promoting enforcement of existing standards by state regulators, and increasing the penalty for violations of the consumer protection statutes.

Arkansas

In contrast to Maryland’s efforts to expand consumer protection under the MCPA, Arkansas has taken steps to restrict consumer protection, particularly private rights of action.

The Arkansas Deceptive Trade Practice Act (ADTPA)[9] generally prohibits and makes unlawful “deceptive and unconscionable trade practices.”[10] The ADTPA also designates certain specific practices as unlawful.[11] On April 7, 2017, Arkansas enacted House Bill 1742 (now Act 986), effective August 1, 2017, which substantively amended the ADTPA.

Before the amendment, the ADTPA allowed a private right of action for any “person who suffers actual damage or injury as a result of an offense or violation” of the ADTPA.[12] A claimant could recover actual damages.[13] A successful claim under the ADTPA did not require a showing of monetary damages or reliance on the practice that violated the ADTPA.

The amended ADTPA now limits a private right of action to a person that suffers “an actual financial loss as a result of his or reliance on the use of a practice declared unlawful under [the ADTPA].”[14] The claimant may only recover “his or her actual financial loss proximately caused by the offense or violation, as defined under the [the ADTPA].”[15] The amended ADTPA further provides that “[t]o prevail on a claim brought under Ark. Code Ann. § 4-88-113(f)(1), a claimant must prove individually that he or she suffered an actual financial loss proximately caused by his or her reliance on the use of a practice declared unlawful under [the ADTPA].”[16] The amended ADTPA defines “actual financial loss” as “an ascertainable amount of money that is equal to the difference between the amount paid by a person for goods and services and the actual market value of the goods or services provided.”[17] Accordingly, the amended ADTPA now requires a claimant to show actual monetary damages or injury. Furthermore, a claimant must now also show that the damages or injury were “proximately caused by his or her reliance on the use of a practice declared unlawful under [the ADTPA].”[18]

The Arkansas Court of Appeals found that reliance was not necessarily required for a successful claim under the prior version of the ADTPA.[19] Courts applying Arkansas law have held that the amended ADTPA requirements for showing monetary damages and reliance are therefore substantive in nature and not procedural.[20] Accordingly, the courts have held that these requirements are not retroactive and will not apply to purchases made before August 1, 2017.[21]

The amended ADTPA also now prohibits private class-action claims under the ADTPA, with the exception of claims asserting violations of the Arkansas Constitution, Amendment 89, which provides the maximum interest rates a lender may impose.[22] Before the amendment, the ADTPA did not expressly limit private class-action claims.

Consumer Protection Versus Protection from Frivolous Lawsuits

Maryland and Arkansas demonstrate divergent approaches to consumer protection through application of UDAP/UDAAP statutes. Maryland has adopted an expansive view of what constitutes a violation of the MCPA, going beyond even UDAAP standards derived from the Dodd-Frank Act by codifying MLA and SCRA violations as per se unfair, deceptive, or abusive acts. Coupled with increased funding for enforcement by the Maryland Attorney General and its already robust private right of action, the recent MCPA amendments send a strong message that Maryland will be at the forefront of consumer protection in the coming years.

Arkansas reflects a separate priority: concern that malleable concepts of unfairness and deception may be used to justify frivolous lawsuits and class actions where no monetary injury exists. Similarly, at the federal level, “reliance” is not an element of an unfairness, deception, of abusiveness claim. This additional requirement makes proving an ADTPA violation materially more difficult—even where monetary injury exists, consumers must prove that they understood and relied on a representation to their detriment.[23]

These approaches represent opposite ends of the pro-consumer versus pro-industry approach to state UDAP/UDAAP laws. As consumer protection shifts to states, the current reality for both consumers and industry may be this patchwork approach.

[1]      Md. Code Ann., Com. Law §§ 13-101 et seq.

[2]      Id. §§ 13-303(k), 13-101 et seq.

[3]      Id. § 13-303(k) (emphasis added).

[4]      Id. § 13-301(14)(xxxi), (xxxii).

[5]      Id. § 13-410(a), (b).

[6]      Id. § 14-4103.

[7]      Md. Code Ann., Com. Law § 14-4104.

[8]      Id. § 13-408.

[9] Ark. Code Ann. §§ 4-88-101 et seq.

[10] Id. § 4-88-107.

[11] Id. § 4-88-108.

[12] Id. § 4–88–113.

[13] Id. § 4–88–113.

[14] Id. § 4-88-113(f)(1).

[15] Ark. Code Ann. § 4-88-113(f)(1).

[16] Id. § 4-88-113(f)(2).

[17] Id. § 4-88-102(9).

[18] Id. § 4-88-113(f)(2).

[19] Pleasant v. McDaniel, 550 S.W.3d 8, 12 (Ark. Ct. App. 2018).

[20] See Mounce v. CHSPSC, LLC, 2017 WL 4392048, at *7 (W.D. Ark. Sept. 29, 2017); In re Restasis (Cyclosporine Ophthalmic Emulsion) Antitrust Litigation, 2018 WL 5928143 at *4 (E.D. Ny. Nov. 13, 2018).

[21] Id.

[22] Ark. Code § 4-88-113(f).

[23] The related concept of materiality is presumed under federal deception law. See FTC Policy Statement on Deception (1983).

The law’s definition of “good faith” is often amorphous, fact specific, and difficult to spell out. No doubt, courts and factfinders have grappled with it for centuries. Yet what explains Maryland’s aversion to interpreting it—or acknowledging it—in the “fair consideration” definition in the Uniform Fraudulent Conveyance Act (UFCA)?

New York and Maryland are the only jurisdictions still applying the UFCA (most other states—43 of them—have moved on to the modernized Uniform Fraudulent Transfer Act), and not surprisingly, New York courts have spilled a lot of ink interpreting and articulating the rights of creditors seeking to void fraudulent conveyances. At this point in New York, there is little ambiguity on what good faith means in the constructive fraudulent conveyance context when insolvent businesses are moving money and assets.

Under the constructive fraudulent conveyance statute of the UFCA,

Every conveyance made and every obligation incurred by a person who is or will be rendered insolvent by it is fraudulent as to creditors without regard to his actual intent, if the conveyance is made or the obligation is incurred without a fair consideration.

“Fair consideration” is provided in exchange for property or an obligation if:

(a) In exchange for such property, or obligation, as a fair equivalent therefor, and in good faith, property is conveyed or an antecedent debt is satisfied, or

(b) The property, or obligation is received in good faith to secure a present advance or antecedent debt in amount not disproportionately small as compared with the value of the property, or obligation obtained.

On a plain reading, the statute permits the avoidance of a transfer as constructively fraudulent even if the debtor receives equivalent value if the plaintiff can prove that the value was not provided in good faith. Striking down such conveyances is permitted regardless of the debtor-transferor’s intent.

In New York, as found in the definition, fair consideration is present when (1) the recipient of the debtor’s property either conveys property in exchange or discharges an antecedent debt; (2) the debtor receives the “fair equivalent” of the property conveyed; and (3) the exchange is undertaken in good faith. See Sharp Int’l Corp. v. State St. Bank & Trust Co. (In re Sharp Int’l Corp.), 403 F.3d 43, 53-54 (2d Cir. 2005). The New York Court of Appeals has identified a few parameters defining “good faith”—an honest belief in the activities in question; no intent to take unconscionable advantage of others; no intent to delay, hinder, or defraud others—and certain circumstances that constitute bad faith as a matter of law; notably, transfers to directors, officers, and shareholders of insolvent corporations in derogation of the rights of general creditors. Farm Stores, Inc. v. School Feeding Corp., 102 A.D.2d 249 (2d Dep’t 1984). Other courts interpreting New York law have interpreted good faith to apply to any transaction between an insolvent corporation and a corporate insider. See Hirsch v. Gersten (In re Centennial Textiles), 220 B.R. 165, 172 (Bankr. S.D.N.Y. 1998) (“under New York law, transfers from an insolvent corporation to an officer, director or major shareholder of that corporation are per se violative of the good faith requirement of DCL § 272 and the fact that the transfer may have been made for a fair equivalent is irrelevant.”); Allen Morris Commercial Real Estate Servs. Co. v. Numismatic Collectors Guild, Inc., No. 90 Civ. 264, 1993 WL 183771, 1993 U.S. Dist. LEXIS 7052, at *28-*30 (S.D.N.Y. May 26, 1993) (“it has been held that transfers from an insolvent corporation to an officer, director and major shareholder of that corporation are per se violative of the good faith requirement of Section 272.”).

Although the fact patterns are often nuanced, it’s undeniable that good faith is of great significance under New York’s UFCA when insolvent businesses are making transfers or entering into transactions with insiders.

Given the robust attention to good faith in New York, it seems safe to assume that the other UFCA jurisdiction—Maryland—might perform a similar test. Or maybe not.

Recently, in United Bank v. Buckingham, 761 F. App’x 185 (4th Cir. 2019), the Fourth Circuit Court of Appeals reversed a decision by the late Judge Roger W. Titus assessing whether fair consideration existed when an insolvent business changed the beneficiary designations on two life insurance policies the company purchased for its CEO.

The judgment creditor bank in the case was owed millions of dollars by the bankrupt debtor business, its CEO, and his wife. Prior to becoming insolvent, the company purchased life insurance policies as an employment benefit to the CEO. Upon the CEO’s death, the company would be reimbursed its premium payments (from the death benefits), and with the beneficiary designated by the CEO receiving the remainder.

After a protracted default by the company, a forbearance agreement between the parties, the CEO diminished by dementia, and his son David appointed guardian, the debtor company’s board approved a sale of the policies. The policies were sold for $110,000—a value determined by the life insurance company pursuant to an IRS formula—to a trust. The trustee of the trust was David, and the beneficiaries were David and his two siblings.

The bank alleged that the transfer of the policies to the trust for only $110,000 was fraudulent because it lacked fair consideration in that the policies were conveyed from the debtor company to the trust despite the fact that the policies were cashed in for $750,000 soon after the sale. The court disagreed with the bank and found that “the $110,000 was a ‘fair equivalent’ for the John Hancock policies.” In short, David—voting for his ill father—and his brother Thomas agreed to transfer the policies from the defunct business to a trust, of which David was both the trustee and a beneficiary, along with his two other siblings, for $110,000 despite evidence that the policies were cashed in for $750,000 after the sale.

The district court’s decision focused solely on fair equivalence and undertook a financial valuation of the policies, ultimately agreeing with David’s position that the policies’ value was $110,000 based on overdue premium payments, negative surrender values, and the fact that the policies were in danger of lapsing and becoming worthless; the policies were also subject to a neutral evaluation from John Hancock based on an IRS-approved formula.

Although the court examined the financial considerations in great detail—and per the “fair equivalent” reference definition—no mention of good faith can be found in the opinion.

In reversing the district court, Judge A. Marvin Quattlebaum, writing for the Fourth Circuit, reversed Judge Titus because there was a genuine factual dispute “concerning the fairness of the consideration” paid for the policies; yet, instead of assessing whether the insolvent business sold the policies for a (1) fair equivalent and (2) in good faith—as the statute requires—the panel held that the trial court had “improperly weighed the evidence” in the defendant’s favor at the summary judgment stage. Indeed, Judge Quattlebaum’s opinion offers no mention of good faith of Maryland’s UFCA (to be fair, he’s not the first to omit it, nor likely the last).

Being on both sides of a transaction is usually a red flag for good faith. See Matter of Bernasconi v. Aeon, LLC, 963 N.Y.S.2d 437 (N.Y. App. Div. 3d Dep’t 2013) (“[W]here . . . a corporate insider participates in both sides of the transfer and the insider controls the transferee, the transfer will be deemed to have been made in bad faith if made to a creditor’s detriment . . . .”) But not here.

Although New York has a robust body of law evaluating good faith and arguably would have denied summary judgment had this case been decided under New York law, the failure of the Buckingham courts to undertake even a minimal good-faith examination of the sale to the trust—and ignore that those voting for the policy would receive the benefits—all raise significant and legitimate doubts as to whether courts are properly interpreting Maryland’s “fair consideration” definition in the UFCA. Although Judge Titus acknowledged Maryland’s deficiency in noting that that there is no dispositive authority as to how to determine fair consideration under specific circumstances, under his and the Fourth Circuit’s interpretation, the “and in good faith” clause may as well have been removed from the “fair consideration” definition found at Md. Code § 15-204. United Bank v. Buckingham, 301 F. Supp. 3d 561 (D. Md. 2018).

Until Maryland’s UFCA “fair consideration” definition is fully interpreted—with at least an acknowledgment to the good-faith clause—creditors may well be advised to seek a nexus to New York law, or a similarly favorable jurisdiction, if they hope to truly enforce their rights.

Since common law, stockholders have enjoyed a qualified right to inspect the corporation’s “books and records” for any “proper purpose”—i.e., a purpose reasonably related to the stockholder’s interests as a stockholder. Codified in state corporation statutes such as section 220 of the Delaware General Corporations Law (DCGL), these stockholder inspection rights were exercised infrequently until the Delaware courts began to encourage stockholders to utilize these “tools at hand” to obtain information necessary to plead demand excusal in derivative actions. As the Delaware Supreme Court noted in the seminal decision of Rales v. Blasband: “Surprisingly, little use has been made of section 220 as an information-gathering tool in the derivative context.” 634 A.2d 927, 935 n.10 (Del. 1993). Over the last 20 years, “Delaware courts have encouraged stockholders to use the ‘tools at hand’ (e.g., Section 220) to gather information before filing complaints that will be subject to heightened pleading standards.” Lavin v. West Corp., 2017 WL 6728702, at *9 (Del. Ch. Dec. 29, 2017). The significant increase in section 220 litigation over the last decade is a testament to the plaintiffs’ bar heeding the Delaware courts’ admonitions.

At the same time that section 220 books and records demands have become commonplace, rapid technological advances have driven the proliferation of the forms of media in which corporate information is kept, including, for instance, e-mails, text messages, and other electronic communications and records not traditionally viewed as a corporation’s “books and records.” The issue is only further complicated by the fact that officers’ and directors’ use of personal computers, smartphones, and personal e-mail accounts potentially renders communications beyond the direct control of the corporations whom the officers and directors serve. Until relatively recently, Delaware courts have been hesitant to compel the production of such “nontraditional” books and records in section 220 litigation, given that the extant jurisprudence dictates that a section 220 summary proceeding is far from coextensive in scope with Rule 34 discovery, and a stockholder is only entitled to those books and records deemed “necessary and essential” to achieving a proper purpose. Typically, board minutes, resolutions, and the like are deemed sufficient because the courts are mindful that a stockholder’s inspection rights must be balanced against the potential for burdensome and abusive “fishing expeditions” that mirror discovery requests in plenary corporate litigation. Nonetheless, as technological advances have expanded the range of media used to conduct business, the law has also evolved regarding access to e-mail, text messages, and other forms of communication as books and records of the corporation. Although still evolving, some general principles have emerged that generally guide when the Delaware courts will permit access to electronic communications in section 220 proceedings.

Who cares? Corporations and their officers and directors absolutely should. Section 220 demands have become virtually a necessary prerequisite to any stockholder derivative action, and the books and records that stockholders receive and use to draft their complaint can be outcome-determinative on a motion to dismiss. Whereas board minutes and more “formal” corporate records will allow little room for “creative interpretation” by the plaintiffs’ bar, the same cannot be said of e-mail communications where plans and decisions are informally deliberated in real time, perhaps satirically or within a context that may not be evident when portrayed with hindsight by counsel whose objective is to prove a breach of fiduciary duty. Although producing e-mails in a books and records case cannot always be avoided, there are steps corporations can take on a clear day to mitigate the risk.

The seminal decision granting access to e-mails is a 2013 nonpublished transcript ruling, Ind. Elec. Workers Pension Tr. Fund IBEW v. Wal–Mart Stores, Inc., 7779–CS, at 97–98 (Del. Ch. May 20, 2013) (Strine, C.), which ironically does not directly address the issue of whether e-mails are corporate records subject to section 220 inspection rights. In Wal-Mart, then-Chancellor Strine ordered the production of private communications between officers and directors concerning an alleged bribery scandal under investigation by the plaintiff. In the process, the issue arose as to whether e-mails and electronic documents created or maintained on personal devices were the appropriate subject of a section 220 demand. The court drew no distinctions between e-mails and documents created by employees upon their personal devices verses those generated within the company’s official systems, concluding that where the documents were created or maintained was not controlling: “In terms of this issue of the home devices . . . if you use your home computer to handle Wal-Mart information, I don’t think that many companies would believe that . . . that makes it their personal information.” Given that the e-mails were deemed corporate records necessary for the plaintiff to conduct its investigation, they were to be produced irrespective of where they were physically created or maintained. Although the unpublished Wal-Mart decision did not directly address when the production of e-mails is appropriate in a section 220 action, its affirmance on appeal was routinely cited by the plaintiffs’ bar for that principle.

The issue arose again in Chammas v. Navlink, Inc., 2016 WL 767714 (Del.Ch. 2016), a case involving a director’s demand for books and records pursuant to the more expansive rights that directors have as compared to stockholders. In Chammas, the director plaintiff sought to “investigate whether ‘the other members of the Board and management are excluding them from board business and related communications,’ including emails prior to Board meetings and alleged Secret Meetings.” Consistent with Wal-Mart, Vice Chancellor Noble first observed that whether a document or communication is stored on the company’s servers is “not necessarily determinative of whether it constitutes a book or record of the company.” More important, the court concluded, is whether the book or record must be “in the possession or control of the corporation.” Second, recognizing the importance of burden considerations in the section 220 context, the court disclaimed that although its “holding is not to be interpreted as a blanket prohibition against inspection of private communications among directors, subjecting Section 220 proceedings to such broad requests, even by directors, runs contrary to the ‘summary nature of a Section 220 proceeding.’” Finally, the court observed that the books and records of the company are “those that affect the corporation’s rights, duties, and obligations . . . .” The court’s ultimate rejection of the demand for e-mails turned on the insufficiency of the plaintiff’s evidence of wrongdoing to warrant their production: “Mere suspicions of pre-meeting collusion among board members or board members and management, in the context of a Section 220 action, is insufficient to compel the production of private communications between such officers and directors . . . .”

The same year Chammas was decided, Vice Chancellor Laster analyzed whether e-mails may be within the scope of books and records obtainable pursuant to section 220. In Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752 (Del. Ch. 2016), a stockholder sought to investigate the hiring of Yahoo’s chief operating officer, and in that connection sought e-mails from the company’s CEO. The court began its analysis by categorically rejecting the argument that e-mails are per se beyond section 220’s scope. Vice Chancellor Laster observed the evolution of corporate record-keeping and the modern reality that virtually all books and records are now kept electronically: “Limiting ‘books and records’ to physical documents ‘could cause Section 220 to become obsolete or ineffective.’” The court then relied upon Wal-Mart to reject the argument that the company’s search for documents would be limited to the company’s devices, as opposed to a custodian’s personal device, holding that “a corporate record retains its character regardless of the medium used to create it.” As for the test to determine whether e-mails must be produced, the court limited itself to a single consideration: “As with other categories of documents subject to production under Section 220, what matters is whether the record is essential and sufficient to satisfy the stockholder’s proper purpose, not its source.”

A few years later in Schnatter v. Papa John’s International, Inc., 2019 WL 194634 (Del. Ch. 2019), Chancellor Bouchard addressed the test suggested in Chammas as to whether e-mails (or any documents) are deemed books and records of the company—i.e., whether they are “those that affect the corporation’s rights, duties, and obligations . . . .” The defendant in Papa John’s resisted production of e-mails between directors discussing former director Schnatter, citing Chammas and claiming that “Schnatter is just curious about what his fellow fiduciaries were saying about him.” The court rejected the argument because the scope of documents ordered to be produced would be limited to those related to the plaintiff’s proper purpose, thus satisfying the standard. Commenting further, Chancellor Bouchard then effectively agreed with Vice Chancellor Laster’s reasoning for producing e-mails as articulated in Yahoo, albeit qualified by consideration of the additional costs inherent in producing electronic communications:

A further word is in order regarding emails and text messages from personal accounts and devices. The reality of today’s world is that people communicate in many more ways than ever before, aided by technological advances that are convenient and efficient to use. Although some methods of communication (e.g., text messages) present greater challenges for collection and review than others, and thus may impose more expense on the company to produce, the utility of Section 220 as a means of investigating mismanagement would be undermined if the court categorically were to rule out the need to produce communications in these formats.

Citing then-Chancellor Strine’s decision in Wal-mart, the court held that “if the custodians identified here . . . used personal accounts and devices to communicate about changing the Company’s relationship with Schnatter, they should expect to provide that information to the Company.” Expressly disclaiming the promulgation of any bright-line rule, Chancellor Bouchard grounded the analysis in “balanc[ing] the need for the information sought against the burdens of production and the availability of the information from other sources, as the statute contemplates.”

If there were any question about whether e-mails are properly within the scope of section 220 demands, the Delaware Supreme Court resolved it in KT4 Partners LLC v. Palantir Technologies Inc., 203 A.2d 738 (Del. 2018). In Palantir, after a potential sale of the company fell through because Palantir allegedly thwarted the deal and KT$ sought information pursuant to its far-reaching rights under an “Investors Rights Agreement,” Palantir allegedly amended the agreement to curtail KT4’s rights. KT4 made a demand to inspect Palantir’s books and records under section 220 of the DGCL for the purpose of investigating “fraud, mismanagement, abuse and breach of fiduciary duty.” Palantir rejected the demand, and KT4 commenced a section 220 action in the Delaware Court of Chancery. Following trial, Vice Chancellor Slights held that KT4 had shown a proper purpose of investigating potential wrongdoing in multiple areas, including Palantir’s amendment of the Investors’ Rights Agreement in ways that “eviscerated” KT4’s contractual information rights after KT4 sought to exercise those rights. The court specifically held that KT4 was entitled to “all books and records relating to” the amendments to the Investors’ Rights Agreement. After the parties were unable to agree on whether the books and records to be produced were to include e-mails, the court issued a final order that excluded e-mails from the documents that Palantir would be required to produce. The court reasoned in part that e-mails were not essential to fulfill KT4’s stated investigative purpose, based on the (mistaken) understanding that Palantir possessed and would produce formal board-level documents relating to the amendments of the Investors’ Rights Agreement, rendering a further production of e-mail unnecessary for KT4’s purpose. 

KT4 appealed the Court of Chancery’s ruling. Importantly, on appeal, Palantir conceded that other than the amendments to the Investors’ Rights Agreement themselves, responsive nonemail documents did not exist, and that e-mails related to the amendments did exist. The Delaware Supreme Court held that the e-mails plaintiff sought were necessary and essential to investigating the alleged wrongdoing because the defendant admitted other, more traditional forms of books and records did not exist. Insofar as being required to produce e-mails was concerned, the Supreme Court viewed Palantir’s obligation as a self-inflicted wound. As the Supreme Court made clear, “if a company observes traditional formalities, such as documenting its actions through board minutes, resolutions and official letters, it will likely be able to satisfy a Section 220 petitioner’s needs solely by producing those books and records.” The court conversely cautioned that “if a respondent in a § 220 action conducts formal corporate business without documenting its actions in minutes and board resolutions or other formal means, but maintains its records of the key communications only in emails, the respondent has no one to blame but itself for making the production of those emails necessary.” 

* * *

The foregoing cases illustrate several principles inherent in any analysis of whether electronic communications will be ordered produced in section 220 litigation. First, electronic communications are deemed corporate records that may be ordered in section 220 proceedings, but only to the extent that they are “necessary and essential” to the plaintiff’s investigation. Second, whether or not the electronic communications reside on the corporation’s servers or personal devices, if they are necessary and essential to the plaintiff’s investigation, they may subject to an order compelling production. Third, although e-mails may be ordered to be produced in section 220 litigation, the cost and burden of such a production will weigh considerably in the court’s final determination. And finally, Palantir serves as an admonition to corporate boards and their counsel to be mindful to observe corporate formalities and appropriately document board meetings and actions through minutes, resolutions, and other official materials, and avoid conducting “formal corporate business . . . through informal electronic communications.” Absent proper recordkeeping and formal documentation of the board’s decisions, there is risk that a corporate respondent in a section 220 action may be ordered to produce e-mails as “necessary and essential” to satisfying a stockholder’s books and records demand.

Mr. Blanchard is a partner at Morgan, Lewis & Bockius LLP. He represents clients in all facets of shareholder litigation, class actions, securities enforcement matters, investigations, and business disputes. The views expressed by the author are his alone and are not the views of Morgan Lewis or the firms’ clients. This article is for information purposes only and does not constitute legal advice.

The following is excerpted from Chapter 16 of Law of Artificial Intelligence and Smart Machines: Understanding A.I. and the Legal Impact.

Robots, and autonomous vehicles (AVs) in particular, act in the physical world.  Accidents involving these systems are inevitable.  Some of these accidents will cause catastrophic injury for those involved in the accident.  Even worse, if a defect or cyber attack could compromise every instance of a particular robot or an entire network, fleet, or industry, the defect or attack could cause widespread simultaneous accidents throughout the country or even the world.  Imagine, for instance, a future in which regional transportation centers in metropolitan centers control the dispatch and navigation of AVs in the region.  Imagine further that a sudden defect causes all the AVs under control of the system to crash all at once in a major metropolitan area like New York.  The impact of such an event in terms of harm, property damage, injury, and deaths could easily exceed an event like the attacks on September 11, 2001.

In 2012, I had the opportunity to speak at the Driverless Car Summit presented by the Association of Unmanned Vehicle Systems International.  The conference organizers polled the audience which, although admittedly unscientific, did provide a data point about industry views on product liability.  One polling question asked attendees to identify the chief obstacle to the deployment of AVs, and the top answer was “legal issues.”  The proceedings of the conference identified this issue as well.[1]  Although the poll did not break down the issues among compliance and liability, I suspect that liability is the larger perceived issue.  Indeed, some people have identified product liability suits are an existential threat to autonomous driving.[2]

In the worst-case scenario for the industry, manufacturers could face numerous suits that force some of them to exit the robotics market and cause others to decide not to enter the market in the first place.  They could perceive that the sales are not worth the risk.  Such an outcome could be tragic if it results in manufacturers not bringing otherwise life-saving and socially beneficial robots to the market.  Manufacturers, however, can implement practices to minimize the likelihood, frequency, and magnitude of accidents, and thereby control the risk of liability.  By implementing these practices, manufacturers can maintain the profitability they would need to offer robots in the market.

Managing the Risk of Robot Product Liability

Given the large human and financial consequences of defective products, manufacturers seek to manage the risk of product liability litigation and costly recalls.  What can a robot, AV, or AI system manufacturer do to reduce the likelihood of company-ending product liability litigation?  Most importantly, if manufacturers can proactively prevent defects and resulting accidents from occurring in the first place, they can prevent the need to defend product liability claims.  Planning for improved safety can enable manufacturers to make safer products that are less likely to cause accidents and trigger product suits.

Of course, accidents may occur anyway and with any widely-deployed robot, AV, or AI system, a manufacturer can foresee that accidents are inevitable.  Nonetheless, a proactive approach to risk management would permit a manufacturer to put itself in the best position possible to prevail in product liability cases based on the inevitable accidents.  A proactive approach to design safety means that the manufacturer takes the steps today to implement a commitment to safety, which will minimize its risk from future suits.  History shows that juror anger fuels outsize verdicts.  If a proactive manufacturer takes the concrete and effective steps to implement a commitment to safety, it will be able to tell a future jury why its products were safe and how it truly cared about safety.  Such actions will place the manufacturer in the best possible light when, despite all these safety measures, an accident does occur.

Making the commitment to safety upfront is crucial.  As one commentator stated, “The most effective way for [counsel for] a corporate defendant to reduce anger toward his or her client is to show all the ways that the client went beyond what was required by the law
or industry practice.”[3]  Going beyond minimum standards is important because, first, juries may look at minimum standards skeptically, thinking that the industry set the bar too low.  Moreover, juries expect that manufacturers know more about their product than any ordinary “reasonable person,” which is the standard for judging a defendant in a negligence action.  Juries expect more from manufacturers.  “A successful defense can also be supported by walking jurors through the relevant manufacturing or decision-making process, showing all of the testing, checking, and follow-up actions that were included.  Jurors who have no familiarity with complex business processes are often impressed with all of the thought that went into the process and all of the precautions that were taken.”[4]  The most important thing to a jury is that the manufacturer tried hard to do the right thing.[5]  Accordingly, a manufacturer that goes above and beyond minimum industry standards is in the best position to minimize the likelihood of juror anger and minimize possible product liability risk.

Any proactive approach to product safety should begin with a thorough risk analysis.  A risk analysis would look at the types of problems that could arise with a product, how likely these problems could occur, and the likely frequency and impact of these problems.  After completing this analysis, a manufacturer can analyze its robot or AI product design in light of the risks.  It can change design and engineering practices to address potential issues and prioritize risk mitigation measures based on what it sees as the most significant risks.  In implementing this risk management process, a manufacturer may obtain guidance from a number of standards relevant to robots and AI systems.  In the field of AVs, examples include:

• ISO 31000 “Risk management – Guidelines” (regarding the risk management process).
• Software development guidelines from the Motor Industry Software Reliability Association.
• IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems (safety standard for electronic systems and software).
• ISO 26262 family of “Functional Safety” standards implementing IEC 61508 for the functional safety of electronic systems and software for autos.

Adherence to international standards may not insulate a manufacturer from liability, whether in front of a jury or as a matter of law.  Nonetheless, following international standards increases the credibility of a manufacturer’s risk management program.  Also, following standards helps a manufacturer create a framework of controls for its risk management process.  Such a framework would make implementation and assessment easier.  Therefore, organizing a risk management program based on the methods specified in international standards provides an important basis for defending later product liability litigation.

In addition to adhering to international standards, insurance will play an important role in managing robot and AI product liability risk.  Insurance functions to shift product liability risk to insurance carriers.  In exchange for paying a premium, a manufacturer’s insurance carriers will defend and indemnify manufacturers for losses and pay for settlements or judgments to resolve third party claims.  The insurance industry is in the early stages of understanding robot and AI risk and creating coverage that effectively manages risk.[6]  As businesses and consumers deploy robots and AI systems more broadly, insurers will create insurance programs for third party accident and liability risks.  Some of those risks may include privacy and security breaches.  One barrier to effective insurance programs is the lack of loss experience data to assist in the underwriting process.  To start writing policies for given robots or AI systems, however, insurance carriers are likely to look at analogous conventional products.[7]  In the short run, manufacturers may need to tailor-make insurance coverage with bespoke policies that fit their risk profiles.  Over time, carriers will enter the market and create standard policies, reducing premium costs over the longer run.

Beyond the most immediate internal safe design steps and insurance programs, manufacturers of a given type of robot or AI system may be able to act jointly to mitigate risk to the entire industry sector (subject to possible antitrust issues involving joint action).  For instance, they may work on safety and information security standards to promote safe practices within the industry sector.  Trade groups and purchasing consortia can help manufacturers promote the safety among component manufacturers.  Finally, an industry sector may want to create and maintain information sharing groups to develop and promote safety practices among industry participants.

During the design process, effective records and information management (RIM) will help a manufacturer document and evidence its commitment to safety.  Documents generated contemporaneously with the design process can memorialize a manufacturer’s safety program and the steps it takes to fulfill its commitment to safety.  In any product liability suit, a witness could certainly testify about the manufacturer’s safety program.  Nonetheless, without corroborating contemporaneously recorded documentation, there is a risk that the jury would find any such testimony to be self-serving and thus disbelieve it.  In this vein, wholesale destruction of all design documents of a certain age may be as bad as retaining too many documents.  Archiving the right documents in preparation of future litigation will help the business defend itself in the future.  Effective RIM may win cases, while poor RIM may lose cases.

Finally, some pre-litigation strategies may further reduce product liability risks.  For example, manufacturers can work with jury consultants to advise the manufacturer in the defense of a product liability case.  They can focus on ways the manufacturer can place its safety program in the best light to avoid impressions that would anger a jury.  Moreover, a manufacturer may want to create a network of defense experts familiar with their robotics or AI technologies.  These experts can help educate jurors about various engineering, information technology, and safety considerations.  Further, attorneys representing AI and robotics manufacturers may work within existing bar groups or form new ones to share specialized knowledge, sample briefs, case developments, and other information helpful to the defense of product liability cases.

[1] E.g., Autonomous Solutions Inc., 5 Key Takeaways From AUVSI’s Driverless Car Summit 2012 (Jul. 12, 2012) (“Some of the largest obstacles to autonomous consumer vehicles are the legalities.”).  Reports from Lloyd’s of London and the University of Texas listed product liability as among the top obstacles for AVs.  Lloyd’s, Autonomous Vehicles Handing Over Control:  Opportunities and Risks for Insurance 8 (2014) [hereinafter, “Lloyd’s Paper”]; University of Texas, Autonomous Vehicles in Texas 5 (2014).

[2] See, e.g., Tim Worstall, When Should Your Driverless Car From Google Be Allowed To Kill You?, Forbes, Jun. 18, 2014 (“the worst outcome would be that said liability isn’t sorted out so that we never do get the mass manufacturing and adoption of driverless cars”), http://www.forbes.com/sites/timworstall/2014/06/18/when-should-your-driverless-car-from-google-be-allowed-to-kill-you/.

[3] Robert D. Minick & Dorothy K. Kagehiro, Understanding Juror Emotions:  Anger Management in the Courtroom, For the Defense, July 2004, at 2 (emphasis added), http://www.krollontrack.com/publications/tg_forthedefense_robertminick-dorothyhagehiro070104.pdf.

[4] Id.

[5] See id.

[6] See generally Lloyd’s Paper, supra note 1.

[7] Cf. David Beyer et al., Risk Product Liability Trends, Triggers, and Insurance in Commercial Aerial Robots 20 (Apr. 5, 2014) (describing the development of insurance coverage for drones), available at http://robots.law.miami.edu/2014/wp-content/uploads/2013/06/Beyer-Dulo-Townsley-and-Wu_Unmanned-Systems-Liability-and-Insurance-Trends_WE-ROBOT-2014-Conference.pdf.

Introduction

A plaintiff is seeking class-action status in his lawsuit against Square, the electronics payments company. The facts as alleged are that the plaintiff received treatment from a medical provider who used Square to execute a credit-card payment for the medical service. Inexplicably thereafter, “Square allegedly sent a text message linking to a digital invoice with information about the treatment he received to a friend (of the patient allegedly without authorization).”

I know nothing about what happened with the Square technology, what information to which Square had access from the patient’s credit card, how Square uses the information it garners, or whether Square has access to user’s personal contacts, including their phone numbers. What I do know is that Square most assuredly did not want the alleged event to form the basis of a lawsuit and did not want negative coverage from the news outlets. Worse, as reported in the Wall Street Journal on July 2, 2019, “misfired receipts issued by Square have ruined surprise gifts, spilled secrets, informed spouses of the spending habits of their significant other and unnerved consumers who wonder how stores got their contact information when they don’t remember providing it . . . .”

Self-preservation and stock valuations would seem to dictate that these news reports and lawsuits are not good for business. I believe Square is a good corporate citizen. I also believe Square, like so many other businesses, do not actually know how they handle all of the information to which they have access in every given situation. It is easy to be critical of Square’s alleged failure but much more difficult to be perfect when managing information today because there is so much of it, and it is moving at the speed of light through networks the company does not necessarily own or control.

Most companies are at a tipping point as they collect, grab, mismanage, misdirect, expose, lose, and improperly share electronic information day in and day out with greater downside, and they are not fixing the problem because most businesses do not have a good sense of the electronic information assets in their “care, custody or control.” However, there are constructive measures that businesses can take that won’t break the bank, can add value, and can even be accretive to the bottom line.

This article is meant for every business because every business has information, and every business could be doing a better job at wrangling it.

Why Every Company Should Know More About Its Information

Like any company asset, the company and its executives are remiss if they mismanage any company information asset. That is why every container moving through the global shipping network is tagged, monitored, and essentially babysat so that the owner of the container or its contents—or the truck, train, or ship on which the container sits—know its whereabouts at all times. Similarly, produce growers who sell their products through a major retailer, for example, are using blockchain technology to create an immutable record that travels with the plant from sprout to plate to document provenance and safety. Such technology would allow immediate recall if claims of product adulteration are alleged. Payments to vendors above a certain amount require the approval of higher-level executives who are specifically tasked with managing company assets. Company inventories are generally tightly controlled with sophisticated barcoding and GPS because loss or pilferage impacts the bottom line.

When it comes to managing information assets, however, most companies are not managing information like other company assets, and that must change. After all, information allows the company to better respond to customer needs, plan for the future, and generally advance business while protecting legal interests. That is just the beginning: information is increasingly a commodity that is sold, traded, and transformative for a business. That is certainly worth protecting, but information is still the often-discussed valuable “step-child” to whom companies do not show nearly enough real love.

What Is “Care, Custody, and Control” in 2020?

In the old days before the widespread use of computers, having control over company information was not really an issue. Information existed in paper form at employees’ desks or in banker’s boxes at a storage facility. The proliferation of information was limited to the copy machine, and companies did not really have to worry much about having their information exposed or stolen in wholesale form.

Then came the roaring 1990s with the growth of the internet, e-mail, and networked systems that changed the calculus completely. Information became transportable and easily misdirected or misappropriated. Controlling information was a completely new paradigm. Further confounding matters was that more business processes were outsourced, which meant that third parties working on behalf of companies arguably now had “care, custody, and control” over company information and may have believed that the information was theirs. The move to the Cloud complicated things still further as more and more company information was stored in another company’s servers, and doing business in social media environments meant that evidence of those transactions was “trapped” in someone else’s software and/or hardware. In other words, in this brave new information world, knowing what information is yours, where it is, who else has access to it, and what contracts give others rights to use it has created a completely new challenge.

Six Steps to Take Stock

Not surprisingly, getting a handle on your information assets to take back control is essential, but is not so simple. Businesses should take the following six steps to better control their electronic information.

1. Take an Inventory

The only way to know what information resources a company possesses is by looking. That doesn’t mean that the company can inventory each and every file, but rather use tools (some of which the company likely already owns) to understand what information exists, the business units to which it relates, and the storage locations and servers on which it is parked, etc. What is in the structured databases, and what information resides in unstructured share drive environments? What is the aging and continued use of the data? Do records retention rules allow the information to be disposed? This can do several valuable things. Knowing where your information lives will promote a methodical and less burdensome litigation response and discovery process. Assessing content using analytics tools can help unearth trade secrets and personally identifiable information (PII) that is stored in locations that pose a greater risk of exposure. Mostly, however, knowing what information assets the company possesses and where the information is promotes a better business in various ways.

2. Understand What Contracts Dictate

Every business unit likely has various business relationships with partners and third parties working on behalf of the company. Those relationships likely have been memorialized in contracts, which may delineate who owns the information, what rules apply to it, who can use it and how and with whom it can be shared, what happens when litigation arises, etc. The company should develop a process to understand what contracts exist that implicate company information. Thereafter, the company should develop standardized language for contracts that deal with all relevant information issues, such as access, ownership, responsibilities, and costs in responding to requests for information and so on. Building consistency in contracts through proactive, well-thought-out, boilerplate language will begin to build a better information ecosystem.

There is another contract activity that should be undertaken as well. Companies should know what “agreements” exist between the company and customers or potential customers. If a company tells employees information will not be shared, then the company must comply. Saying the company is complying and making sure everyone is actually complying is a different story. Conduct routine audits to ensure the company and all of its movable parts are following suit. One last thing is that contract language telling nonlawyers about what the company may do with information should be devoid of legalese and should be brain-dead simple. In this environment, saying the customer “waived” his or her right to object to the company selling information because the customer could have reviewed the linked legal language (which is multiple pages of lawyerly drivel) is not prudent.

3. Assess Third-Party Actions

Separate but related to step two is getting a handle on what is being done with your information. Beyond contract language, what third parties have access to or use of your company information? Once it is determined who, it’s important to understand what others are doing with that information. The Facebook/Cambridge Analytica fiasco is a good reminder of why it is important to understand not only what your employees are doing, but also what others may be doing as well.

Additionally, your company should understand what its own employees are doing with other companies’ or individuals’ information inside your company. If a business unit shares information from a partner it did not realize should not be shared, there could be substantial consequences. In other words, your company should be on top of where its information comes from and where it goes at a macro level to help promote less information chaos, mitigate liability, and better its business.

4. Assess What Employees Do in the Company’s Name in the Social World

If your company is like most today, multiple business units are doing real business in various social network or media environments. Maybe it is looking for new hires or marketing products and doing competitive analysis. That is great for business, but invariably the company is parking company information in an environment that is outside its control. The social environments are not inclined to accommodate your information needs and apply your information rules, even if you are paying for their service.

5. Understand Where Employees Park Company Information

With the proliferation of cloud computing and working from home came the reality that company information moves to myriad places without the company knowing. With data loss prevention (DLP) tools and similar monitoring applications, companies increasingly can watch and stop the movement of data leaving it, but the reality is that more and more information is parked outside a company computer by more and more employees for various reasons. Efforts should be undertaken to reign that in through policy and technology to monitor and audit the flow of information.

6. Understand Information Created by IoT Devices

Increasingly, noncomputing devices that assess, collect, or distribute information in many business processes (commonly referred to as IoT) are being added to companies usually without much thought about the information output created. Companies must assess each and every business process that is using an IoT device or appliance and determine what information is collected, by whom, where the information is stored, and who has access to and use of it.

Create an Information Asset Register

Whether it is inventorying databases, understanding what third-party applications are used to conduct business, or applying IoT devices likely transforming your business, keeping track of this organically growing and morphing ecosystem of information is increasingly complex and begs for management. One of the concrete steps companies can take to address the chaos is to centralize the process of sizing up all the information inputs and outflows in an Information Asset Register (IAR). This process will routinize the collection of information, and the IAR will provide a centralized view of all things information that can drive business efficiency and mitigate risk.

Avoiding Things That Explode

The information landscape of most companies looks like the data equivalent of a “yard sale”—stuff everywhere without rhyme or reason; chaos that does not reflect the true value of the objects. What we have learned from so many horror stories is that every company is on the brink of disaster if it does not get its informational act together. Put another way, mismanagement has no upside, loads of downside, and there are ample horror stories to prove it.

For example, Facebook regularly graces the front cover of many news outlets with yet another story of how it is “breaching the public trust” or exposing, selling, or otherwise misusing personal information. Because of prior issues, Facebook must now deal with a steady diet of U.S. and foreign regulators seeking to ensure it is following past agreements and not running afoul of the law anew.

Whether it is a litigation headache with a cloud provider who does not have the technical personnel available to accommodate helping with discovery requests on your tight timeframe, or the inability to find the final contract documenting in an important transaction, information mismanagement is bountiful, inconvenient, and expensive.

The Tale of Two Companies

A client recently realized that it had tens of thousands of information storage tapes on which it had never conducted discovery despite the fact that the company has hundreds of active lawsuits at any given time. That’s a company problem waiting to explode. As the head of an information governance consultancy, we have helped many companies clean up their information chaos, sometimes reactively and sometimes proactively. In the process, we have learned that being proactive is much less costly and painful.

Another client is migrating to Office 365 and rather than move outdated digital data detritus, we helped them clean out the crud. That’s a company taking stock now so that it doesn’t explode later. That same client just finished a project to crawl their share drive environments and e-mail to find and lock down all PII. Although this client used our help, great companies have great employees who can get a lot accomplished with thought, planning, and guidance from their lawyers. In other words, just because cleaning up the past is tough doesn’t mean you can’t or shouldn’t do it.

Conclusion—The Gift That Keeps Giving

If you have had any bad information event, what you quickly realize is that problems tend to be more painful than originally expected. For example, a west coast gas and electric company penalized by the state for failing to properly manage records now has a regulator routinely in the company’s “shorts,” ensuring it takes the necessary corrective action for years to come. Additionally, an attack on the way your company managed information on one occasion can be extrapolated to all situations if the same process and technology is always used. Finally, Facebook is a reminder that breaching the trust of users or customers comes with a heavy price. The court of public opinion is difficult to change, and the last thing your company wants to lose is its customers. Information flows and customers vote with their feet. Take stock now.

Randolph Kahn’s forthcoming book The Executive’s Guide to Navigating the Information Universe will help companies understand the opportunities and risks presented by harnessing and harvesting information.